Access denied error when accessing the IIS WMI provider from ASP

Posted on 2024-08-21 02:37:34

I have a Windows 2003 server running IIS 6 and have some scripts that do automated setup and creation of websites. They are not working on a new server I am commissioning (they already work happily on 3 other W2K3 servers). The problem appears to boil down to WMI security on the IIS provider. The ASP code below represents the problem (although it is not the original code that causes the problem - this is a simplified demonstration of the problem).

Set wmiProvider = GetObject("winmgmts:\\.\root\MicrosoftIISv2")
If wmiProvider is Nothing Then
Response.Write "Failed to get WMI provider MicrosoftIISv2<br>"
End If

Response.Write "Querying for IISWebService...<br>"
Set colItems = wmiProvider.ExecQuery("Select * From IISWebServer",,0)
Response.Write "Error: " & Hex(Err.Number) & " (" & Err.Description & ")<br>"

If I run this in my browser, I get an access denied error reported after the ExecQuery call. I have set WMI access for the IUSR_ user from the Root branch all the way down. In fact, I can query for IP address information using the CIMV2 provider quite happily. If I put the IUSR user in the machine admins group it all works, but I don't really want to do that.

This must be a DCOM/WMI security problem, but I can't work out what else there is. Can anyone shed any light?


Comments (3)

夏日落 2024-08-28 02:37:34

After reading G. Stoynev's comment asking if any events were logged in the Windows Logs, I checked the event logs on the server to which I'm attempting to access IIS remotely via WMI, and lo and behold I found an event with the following text:

Access to the root\WebAdministration namespace was denied because the namespace is marked with RequiresEncryption but the script or application attempted to connect to this namespace with an authentication level below Pkt_Privacy. Change the authentication level to Pkt_Privacy and run the script or application again.

See the code in this answer to the related SO question c# - "Access is denied" Exception with WMI.

Here's some example C# code that I added that seemed to resolve this issue for me:

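// Requires a reference to System.Management (using System.Management;)
ConnectionOptions options = new ConnectionOptions();
// Request packet privacy (encryption), as required by a namespace marked RequiresEncryption
options.Authentication = AuthenticationLevel.PacketPrivacy;
ManagementScope managementScope = new ManagementScope(@"\\remote-server\root\WebAdministration", options);
// ...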

坐在坟头思考人生 2024-08-28 02:37:34

If this is something that you intend to run as a tool for yourself or your admin (as opposed to the unwashed anonymous masses), here is a way I have used in the past (YMMV):

  1. Set up a new directory in your website (e.g. /SiteCreate) and place your WMI scripts there
  2. Configure a Windows user that has appropriate rights (probably admin in this case but you should use whatever is pertinent to your app)
  3. Turn off the anonymous access to the directory you created in step 1 and then set the security to allow access only to the user you created in step 2 (turn on the authentication for that directory)

Now, when you navigate to that directory in your browser, you should get a login prompt. When you enter the username/password you created in step 2 your script will have the appropriate rights to perform your WMI requests.

一生独一 2024-08-28 02:37:34

Not a DCOM issue, more so a WMI security and encryption issue. Try changing the GetObject moniker to include impersonation and pktPrivacy, e.g.:

Set wmiProvider = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\root\MicrosoftIISv2")

Refer to the following MS article for more info:
http://msdn.microsoft.com/en-us/library/aa393618(v=vs.85).aspx
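
The authentication-level mismatch discussed in the answers above can be checked directly. The following is an added diagnostic, not code from any of the posters: it connects to the namespace from the question at several DCOM authentication levels and reports which ones are denied. The local computer ".", the probe query and the helper name Probe are assumptions; run it with cscript under the account being tested.

```vbscript
Option Explicit

' Assumed targets: adjust to the namespace and class being diagnosed.
Const TARGET_NS = "root\MicrosoftIISv2"
Const PROBE_WQL = "SELECT Name FROM IISWebServer"
Const wbemImpersonationLevelImpersonate = 3

Dim levels, names, i
' WbemAuthenticationLevelEnum values: Connect=2, Pkt=4, PktIntegrity=5, PktPrivacy=6
levels = Array(2, 4, 5, 6)
names = Array("Connect", "Pkt", "PktIntegrity", "PktPrivacy")

For i = 0 To UBound(levels)
    WScript.Echo names(i) & ": " & Probe(".", TARGET_NS, PROBE_WQL, levels(i))
Next

' Connects at the given authentication level and runs one query.
' Returns a status string instead of raising, so every level gets reported.
Function Probe(computer, namespacePath, query, authLevel)
    Dim locator, services, items, n
    On Error Resume Next

    Set locator = CreateObject("WbemScripting.SWbemLocator")
    locator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
    locator.Security_.AuthenticationLevel = authLevel

    Set services = locator.ConnectServer(computer, namespacePath)
    If Err.Number <> 0 Then
        Probe = "connect failed 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If

    Set items = services.ExecQuery(query)
    n = items.Count   ' forces the enumeration so a deferred denial surfaces here
    If Err.Number <> 0 Then
        Probe = "query failed 0x" & Hex(Err.Number) & " " & Err.Description
    Else
        Probe = "ok, " & n & " instance(s)"
    End If
End Function
```

If only the PktPrivacy line succeeds, the denial comes from the namespace's encryption requirement rather than from the account's group membership or namespace ACL.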
